[Pkg-clamav-commits] [SCM] packaging for clamav-unoffical-sigs branch, master, updated. debian/3.3-2-9-g703c0b0
Paul Wise
pabs at debian.org
Sun Jul 5 06:26:16 UTC 2009
The following commit has been merged in the master branch:
commit 703c0b05ffb019800b19c920e973dce0b19e3bd4
Author: Paul Wise <pabs at debian.org>
Date: Sun Jul 5 14:22:43 2009 +0800
Run the script as the clamav user by default and ensure correct ownership of all the files when the sysadmin accepts the cron.d configuration change.
diff --git a/debian/NEWS b/debian/NEWS
index 1fa55aa..5591500 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -4,4 +4,9 @@ clamav-unofficial-sigs (3.5.4-1) unstable; urgency=low
the default configuration, if you would like to keep using them
then please edit your configuration file as directed in it.
+ This version switches to running the script as the clamav user
+ instead of root to enhance security. If you wish to further
+ increase security, please see README.Debian for a technique
+ for running the script as a user separate to clamav.
+
-- Paul Wise <pabs at debian.org> Fri, 19 Jun 2009 15:20:24 +0800
diff --git a/debian/README.Debian b/debian/README.Debian
index b0cd018..baefd33 100644
--- a/debian/README.Debian
+++ b/debian/README.Debian
@@ -4,3 +4,58 @@
Some of the default settings have been altered, see here for more info:
/usr/share/clamav-unofficial-sigs/conf.d/01-debian.conf
+
+/----------------------------------------------------------------------------
+| Enhanced security
+
+You might like to run the clamav-unofficial-sigs script as a non-root,
+non-clamav user for extra security. To get this working, please follow
+the following steps.
+
+First create a new system user and group 'clamav-unofficial-sigs' and
+add the new user to the ClamAV group.
+
+# adduser --system --no-create-home --disabled-password --disabled-login \
+ --shell /bin/false --group --home /nonexistent clamav-unofficial-sigs
+# adduser clamav-unofficial-sigs clamav
+
+Change the owner/group on the log files and data files to this user.
+
+# chown -R clamav-unofficial-sigs /var/lib/clamav-unofficial-sigs
+# chown -R clamav-unofficial-sigs /var/cache/clamav-unofficial-sigs
+# chown -R clamav-unofficial-sigs /var/log/clamav-unofficial-sigs.log*
+
+Change the owner (but not the group) of the custom data files in the clamav
+database directory to this user.
+
+# chown clamav-unofficial-sigs /var/lib/clamav/*.hdb* /var/lib/clamav/*.ndb*
+
+Change the permissions on the clamav database directory to set the
+sticky bit and group write permission bit. If you installed clamav with
+your package manager you may need to use a command other than chmod to
+make this more permanent. On Debian, please use dpkg-statoverride.
+
+# dpkg-statoverride clamav clamav 1775 /var/lib/clamav
+
+Edit the cron file and logrotate configuration to use this user.
+
+# sed -ire 's/root|clamav/clamav-unofficial-sigs/g' \
+ /etc/cron.d/clamav-unofficial-sigs /etc/logrotate.d/clamav-unofficial-sigs
+
+This setup prevents the script from running inappropriate commands as
+root and also prevents the script from modifying the official ClamAV
+signature databases.
+
+The package is not setup like this by default because packages should not
+modify the permissions of other packages files and directories.
+
+/----------------------------------------------------------------------------
+| Running as root
+
+If for some reason you want to run the clamav-unofficial-sigs script as root,
+you will need to tell the script to chown the database files like this:
+
+# echo \# Running the script as root >> /etc/clamav-unofficial-sigs.conf
+# echo clam_user=clamav >> /etc/clamav-unofficial-sigs.conf
+# echo clam_group=clamav >> /etc/clamav-unofficial-sigs.conf
+# sed -i -e '/^[^#]/s/clamav/root/g' /etc/cron.d/clamav-unofficial-sigs
diff --git a/debian/changelog b/debian/changelog
index 1c87f6f..884753f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,9 @@ clamav-unofficial-sigs (3.5.4-1) UNRELEASED; urgency=low
* New upstream release
* Document removal of mediam and high risk databases
* Document that some of the default settings are altered
+ * Run the script as the clamav user by default and
+ ensure correct ownership of all the files when the
+ sysadmin accepts the cron.d configuration change.
-- Paul Wise <pabs at debian.org> Sun, 05 Jul 2009 14:12:31 +0800
diff --git a/debian/debian.conf b/debian/debian.conf
index cf9452b..eacc0d4 100644
--- a/debian/debian.conf
+++ b/debian/debian.conf
@@ -39,3 +39,8 @@ pkg_rm="apt-get --purge remove clamav-unofficial-sigs"
# Needed before the script will operate
user_configuration_complete="yes"
+
+# We run the script as the clamav user by default
+# so turn off the chown calls, which will fail
+unset clamav_user
+unset clamav_group
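Review bot: The variables unset here, `clamav_user` and `clamav_group`, are spelled differently from the ones the new README.Debian "Running as root" section tells administrators to set, `clam_user` and `clam_group`; only one spelling can be the name the upstream script actually reads, so either these two `unset` lines are no-ops (and the chown calls the comment wants disabled still run and fail once the script runs as clamav) or the README instructions silently do nothing. I believe upstream's default configuration uses `clam_user`/`clam_group`, but the upstream script is not on this page, so please verify against it and use one name in both places, e.g. `unset clam_user` / `unset clam_group`. A comment naming where the value being overridden comes from, e.g. `# overrides clam_user/clam_group from the upstream default conf`, would make the intent of the unset obvious to the next maintainer.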
diff --git a/debian/postinst b/debian/postinst
index 15f8cea..a4d3779 100644
--- a/debian/postinst
+++ b/debian/postinst
@@ -11,6 +11,35 @@ if [ "$1" = configure ] ; then
if [ ! -s "$gpg_dir/publickey.gpg" ] ; then
cp /usr/share/clamav-unofficial-sigs/publickey.gpg "$gpg_dir/publickey.gpg"
fi
+
+ # Detect which user the script will run from
+ # Will be 'clamav' unless the user customised the cron script
+ user="$(grep '^[^#]\+$' /etc/cron.d/clamav-unofficial-sigs | cut -d ' ' -f 6)"
+ group="$(id -ng "$user")"
+
+ if [ "x$user" != xroot ] ; then
+
+ # Ensure the directories are all writable for the cron user
+ for dir in "$gpg_dir" "$config_dir" "$ss_dir" "$msrbl_dir" "$si_dir" "$mbl_dir" "$add_dir"; do
+ if ! dpkg-statoverride --list "$dir" > /dev/null 2>&1 ; then
+ dpkg-statoverride --update --add "$user" "$group" 0755 "$dir"
+ chown -f "$user:$group" "$dir/*"
+ fi
+ done
+
+ # Create the log file and make it writable for the cron user
+ if [ ! -e "$log_file_path/$log_file_name" ] ; then
+ touch "$log_file_path/$log_file_name"
+ chown "$user:$group" "$log_file_path/$log_file_name"
+ fi
+
+ # Make all the files written by the script writable for the cron user on upgrade
+ if [ "x$2" != x ] && dpkg --compare-versions "$2" lt 3.5.4 ; then
+ for file in `cat "$config_dir/purge.txt" 2>/dev/null` ; do
+ chown -f "$user:$group" "$file"
+ done
+ fi
+ fi
fi
#DEBHELPER#
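Review bot: The quoted glob in `chown -f "$user:$group" "$dir/*"` inside the dpkg-statoverride loop never expands, so only a file literally named `*` would be chowned and the directory contents keep their previous owner; it needs to be `chown -f "$user:$group" "$dir"/*`. The `user=` detection above it takes field 6 of every non-comment line of the cron.d conffile, so an empty or multi-line result (file missing, tab-separated fields, a second job added by the admin) reaches `id -ng` and the later statoverride/chown calls unchecked; falling back to `clamav` with a warning is safer. The upgrade loop `for file in \`cat "$config_dir/purge.txt"\`` word-splits paths on whitespace; if purge.txt holds one path per line (it is written by the upstream script, not visible here) a `while read -r` loop is the safer form. Note that `chown -f` only silences messages and still returns non-zero, so if postinst runs under `set -e` (its header and the enclosing `if [ "$1" = configure ]` are outside the hunk) a missing file aborts package configuration. The fence below rewrites those three spots and leaves the rest of the block as is.
```shell
	# Detect which user the script will run from
	# Will be 'clamav' unless the user customised the cron script
	user="$(grep '^[^#]\+$' /etc/cron.d/clamav-unofficial-sigs | head -n 1 | cut -d ' ' -f 6)"
	if [ "x$user" = x ] || ! id "$user" > /dev/null 2>&1 ; then
		echo "clamav-unofficial-sigs: cannot determine cron user from /etc/cron.d/clamav-unofficial-sigs, assuming clamav" >&2
		user=clamav
	fi
	group="$(id -ng "$user")"

	if [ "x$user" != xroot ] ; then
		# … unchanged: dpkg-statoverride loop, except the chown inside it …
				# unquoted glob so the directory contents are chowned; best effort, the dir may be empty
				chown -f "$user:$group" "$dir"/* || true
		# … unchanged: log file creation …

		# Make all the files written by the script writable for the cron user on upgrade
		if [ "x$2" != x ] && dpkg --compare-versions "$2" lt 3.5.4 && [ -r "$config_dir/purge.txt" ] ; then
			# purge.txt is written by the script; read it line by line so paths with spaces survive
			while IFS= read -r file ; do
				[ -n "$file" ] && chown -f "$user:$group" "$file" || true
			done < "$config_dir/purge.txt"
		fi
	fi
```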
diff --git a/debian/prerm b/debian/prerm
index b30937d..35e3a8a 100644
--- a/debian/prerm
+++ b/debian/prerm
@@ -14,9 +14,12 @@ if [ "$1" = remove ] ; then
libdir=/var/lib/clamav-unofficial-sigs
if [ "x$config_dir" = x ] ; then config_dir=$libdir/configs ; fi
if [ "x$gpg_dir" = x ] ; then gpg_dir=$libdir/gpg-key ; fi
+ if [ "x$log_file_path" = x ] ; then log_file_path=/var/log ; fi
+ if [ "x$log_file_name" = x ] ; then log_file_name=clamav-unofficial-sigs.log ; fi
echo $purge > $purge
echo "$gpg_dir/publickey.gpg" >> $purge
+ echo "$log_file_path/$log_file_name"* >> $purge
if [ -s "$config_dir/purge.txt" ] ; then
cat "$config_dir/purge.txt" >> $purge
fi
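Review bot: The new line `echo "$log_file_path/$log_file_name"* >> $purge` records the unexpanded pattern `/var/log/clamav-unofficial-sigs.log*` when no log file exists yet, and when several rotated logs exist it writes them space-separated on one line, unlike the one-path-per-line entries around it. Whether either form is handled correctly depends on how postrm consumes `$purge`, which is outside this hunk; a loop such as `for f in "$log_file_path/$log_file_name"*; do [ -e "$f" ] && echo "$f" >> $purge; done` writes only files that exist, one per line. The enclosing `if [ "$1" = remove ]` block starts outside the hunk.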
diff --git a/debian/rules b/debian/rules
index 4672ed9..eda17ff 100755
--- a/debian/rules
+++ b/debian/rules
@@ -5,10 +5,12 @@
build: build-stamp
build-stamp:
dh_testdir
- cp clamav-unofficial-sigs-logrotate debian/logrotate
+ sed -e 's_root_clamav_g' \
+ < clamav-unofficial-sigs-logrotate > debian/logrotate
sed -e 's/bin/sbin/;s/\.sh//;s/ *-c *[^ ]*//' \
-e 's_^\([^/#]*\)\(/[^ ]*\)_\1[ -x \2 ] \&\& \2_' \
-e 's_/local__g' \
+ -e 's_root_clamav_g' \
< clamav-unofficial-sigs-cron > debian/cron.d
touch $@
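Review bot: The new `-e 's_root_clamav_g'`, applied to both the logrotate and the cron templates, substitutes every occurrence of the string `root`, not just the user field, so any other `root` in those files (a path component, a comment, a `su` line) is rewritten as well; the upstream templates are not on this page, so this is a risk to check rather than an observed breakage. Restricting the substitution to non-comment lines and whole words, e.g. `-e '/^[^#]/s_\broot\b_clamav_g'` (GNU sed, which Debian builds with), mirrors the field-aware form the new README.Debian uses for the reverse change and limits what a future upstream edit can accidentally trigger. A one-line comment above the sed stating why the user is rewritten, e.g. `# run the cron job and own the log as clamav rather than root (see debian/NEWS)`, would tie the build step to the packaging decision.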